Description
A heap-based buffer overflow vulnerability in Fortinet FortiAnalyzer Cloud 7.6.2 through 7.6.4, FortiManager Cloud 7.6.2 through 7.6.4 may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests. Successful exploitation would require a large amount of effort in preparation because of ASLR and network segmentation
Published: 2026-04-14
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

A heap based buffer overflow exists in Fortinet FortiAnalyzer Cloud and FortiManager Cloud versions 7.6.2 through 7.6.4. If an attacker sends a specially crafted request, they can trigger the overflow and achieve remote code execution or arbitrary command execution without authentication. The weakness, classified as CWE-122, undermines confidentiality and integrity, empowering an attacker to compromise the affected system fully.

Affected Systems

Systems running Fortinet FortiAnalyzer Cloud from version 7.6.2 up to 7.6.4 and FortiManager Cloud from version 7.6.2 to 7.6.4 are impacted. Updating to version 7.6.5 or later, or to the forthcoming 8.0.0 series, resolves the issue and restores secure operation.

Risk and Exploitability

The CVSS base score of 7.3 indicates a high severity and highlights the remote and unauthenticated nature of the exploit. Although the exploit would require significant preparation work, such as bypassing address‑space layout randomization and navigating network segmentation, the potential impact is severe. The vulnerability is not listed in CISA’s KEV catalog, and EPSS data is unavailable, so current exploitation prevalence is unclear, but the high severity warrants immediate mitigation through the recommended upgrade.

Generated by OpenCVE AI on April 14, 2026 at 17:38 UTC.

Remediation

Vendor Solution

Upgrade to upcoming FortiManager Cloud version 8.0.0 or above Upgrade to FortiManager Cloud version 7.6.5 or above Upgrade to upcoming FortiAnalyzer Cloud version 8.0.0 or above Upgrade to FortiAnalyzer Cloud version 7.6.5 or above

OpenCVE Recommended Actions

  • Upgrade FortiAnalyzer Cloud and FortiManager Cloud to version 7.6.5 or later, or to the upcoming 8.0.0 release.
  • Confirm that the upgrade succeeds and restart services if required.
  • If the upgrade cannot be applied immediately, restrict API access and monitor for suspicious traffic.

Generated by OpenCVE AI on April 14, 2026 at 17:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 15 Apr 2026 15:45:00 +0000

Type Values Removed Values Added
Title Heap Based Buffer Overflow in Fortinet FortiAnalyzer Cloud and FortiManager Cloud Allowing Remote Code Execution

Wed, 15 Apr 2026 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Fortinet fortianalyzer Cloud
Fortinet fortimanager Cloud
Vendors & Products Fortinet fortianalyzer Cloud
Fortinet fortimanager Cloud

Tue, 14 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 14 Apr 2026 16:00:00 +0000

Type Values Removed Values Added
Description A heap-based buffer overflow vulnerability in Fortinet FortiAnalyzer Cloud 7.6.2 through 7.6.4, FortiManager Cloud 7.6.2 through 7.6.4 may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests. Successful exploitation would require a large amount of effort in preparation because of ASLR and network segmentation
First Time appeared Fortinet
Fortinet fortianalyzercloud
Fortinet fortimanagercloud
Weaknesses CWE-122
CPEs cpe:2.3:a:fortinet:fortianalyzercloud:7.6.2:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortianalyzercloud:7.6.3:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortianalyzercloud:7.6.4:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortimanagercloud:7.6.2:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortimanagercloud:7.6.3:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortimanagercloud:7.6.4:*:*:*:*:*:*:*
Vendors & Products Fortinet
Fortinet fortianalyzercloud
Fortinet fortimanagercloud
References
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C'}

Subscriptions

Fortinet Fortianalyzer Cloud Fortianalyzercloud Fortimanager Cloud Fortimanagercloud
cve-icon MITRE

Status: PUBLISHED

Assigner: fortinet

Published:

Updated: 2026-04-15T03:58:26.193Z

Reserved: 2026-01-12T08:32:04.788Z

Link: CVE-2026-22828

cve-icon Vulnrichment

Updated: 2026-04-14T16:36:59.949Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-14T16:16:37.110

Modified: 2026-04-17T15:11:56.183

Link: CVE-2026-22828

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T15:30:06Z

Weaknesses